The hearing came as the deadline looms for the FAA to devise regulations and licensing that incorporate unmanned aerial vehicles (UAVs) into the national airspace. And the agency is in the process of approving six test sites for UAV operations to help prepare for the full introduction of UAVs in 2015.

Citing a September 2011 arrest of a Massachusetts man who plotted (with the aid of FBI agents posing as Al Qaeda operatives) to use remotely piloted model aircraft to blow up the Capitol dome and attack the Pentagon, subcommittee chairman Rep. Michael McCall expressed frustration that the Department of Homeland Security had not heeded the recommendations of the Government Accountability Office to get involved in drone safety and oversight. "In discussions with my subcommittee staff," McCall said, "department officials repeatedly stated that the Department of Homeland Security does not see this function as part of their mission, and has no role" in overseeing unmanned aircraft.

It’s not as if DHS is unaware of the issue. Todd Humphreys, an assistant professor at the University of Texas’ Cockrell School of Engineering Radionavigation Laboratory and a group of UT researchers demonstrated the impact of GPS "spoofing" on drones at a DHS-organized test in June. Humphreys, who presented earlier this year at a conference at the UK’s National Physical Laboratory on GPS vulnerabilities to cell phone systems, used UT’s GPS spoofing gear to fool a helicopter drone’s GPS with data that showed it was rising, resulting in it attempting to correct the fake climb; a safety pilot took over to prevent the drone from crashing.

"Hacking a UAV by GPS spoofing is but one expression of a larger problem: insecure civil GPS technology has over the last two decades been absorbed deeply into critical systems within our national infrastructure," Humphreys told the subcommittee in his testimony. "Besides UAVs, civil GPS spoofing also presents a danger to manned aircraft, maritime craft, communications systems, banking and finance institutions, and the national power grid."

While the skills and equipment required to spoof GPS are not currently available to "the average person on the street, or even the average anonymous hacker," Humphreys said, software-defined radio technology and "the availability of GPS signal simulators" are starting to put the capability within reach of "ordinary malefactors." Humphreys recommended that any unmanned aircraft over 18 pounds be required to be equipped with spoof-resistant GPS navigation technology, and that similar technology be required by DHS in timing systems that use GPS technology (like those used by cell phone towers and electrical grid systems).

Also testifying before the committee was Amie Stepanovich, Litigation Counsel for the Electronic Privacy Information Center. Stepanovich expressed concerns that the Department of Homeland Security's existing UAV operations (run by Customs and Border Patrol) did not have sufficient safeguards for citizens' privacy and civil rights. "DHS has not sought public comment on or published any specific rules or guidelines that restrict the surveillance practices of its drone program," she said. "Also, despite recent releases of records, the FAA’s process for the application and approval of a drone license are still mostly opaque, preventing any transparency or accountability for operators."

But while regulators pushed for more security in UAV operations, at least one witness expressed frustration with the speed of the FAA's progress on UAVs: Montgomery County, Texas Chief Deputy William McDaniel, whose department has been testing a small helicopter drone purchased with help from DHS. The Montgomery County Sheriff's Office has been operating its Shadowhawk drone under a limited Certificate of Authorization (COA) for testing, and hasn't been able to use the drone in actual operations. "To date, the Montgomery County Sheriff’s Office has only had one opportunity to utilize the Shadowhawk for an operational mission," McDaniel told the subcommittee. "However, the FAA denied our request for an emergency COA, citing there had to exist a 'loss of life or potential loss of life' before they would approve it. We certainly believed there to be a potential danger to the law enforcement officers who were going to conduct the mission. We opted to not press the issue at that point."

Responding to critics who have called the DHS-assisted purchase of the Shadowhawk a waste of federal tax dollars—especially since it can't be used in daily operations—McDaniel said, "The need (for the Shadowhawk) is there, and will continue to be. Those types of incidents we identified as being ideal for the Shadowhawk are actual types of incidents we have experienced over and over again in the past. It is only a matter of when the next such incident will occur."

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat